Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 03:40

Static task: static1

Behavioral task: behavioral1
Sample: a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
Resource: win10v2004-20240611-en
General
Target: a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
Size: 5.0MB
MD5: a7e26759af6012ba56a6b9c7a46e2179
SHA1: 47d8d54fc9984937a86f310880660463828039c6
SHA256: ea2751585258f3838bbfcd95d3ba740e5f80354d017f6fcee8c2c12c5bf1594d
SHA512: 2729a61016127113ccc891448bf8be88d290f9cd3d82bc6c56521dd291307e09f4e3e907d326b06570acdf9d4736407f0adef6bd2b103903249a8b40f4d51fcb
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAM:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2679) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 3064: mssecsvc.exe
  PID 2788: mssecsvc.exe
  PID 2508: tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D1E6AAB7-D2FE-46B4-B8C7-DF3894AF7DEA}\WpadDecisionTime = 40e1b8a10cbeda01 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-80-0a-d1-54-46\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D1E6AAB7-D2FE-46B4-B8C7-DF3894AF7DEA} (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-80-0a-d1-54-46\WpadDecisionTime = 40e1b8a10cbeda01 (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0091000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D1E6AAB7-D2FE-46B4-B8C7-DF3894AF7DEA}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D1E6AAB7-D2FE-46B4-B8C7-DF3894AF7DEA}\de-80-0a-d1-54-46 (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D1E6AAB7-D2FE-46B4-B8C7-DF3894AF7DEA}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D1E6AAB7-D2FE-46B4-B8C7-DF3894AF7DEA}\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-80-0a-d1-54-46 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-80-0a-d1-54-46\WpadDecisionReason = "1" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 1956 wrote to memory of 2120: rundll32.exe -> rundll32.exe
  PID 2120 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
  PID 2120 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
  PID 2120 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
  PID 2120 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 1956
   2. C:\Windows\SysWOW64\rundll32.exe
      Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 2120
      3. C:\WINDOWS\mssecsvc.exe
         Command: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         PID: 3064
         4. C:\WINDOWS\tasksche.exe
            Command: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            PID: 2508
1. C:\WINDOWS\mssecsvc.exe
   Command: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
   PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 0e385950e7210bba989540cbc41a982b
  SHA1: c1b50c80be5c5094f97835f283bc0bf183d018b5
  SHA256: a73d1495bbac556ed8c4b6dab883f87929a566a8d65db2e95308e3082b207fcc
  SHA512: c9bf020b34f14790a7479e839d5b7c5946c1c09c0e2713d302088c651c75f3e6e295d41130db972a0adef1e697bdba6c1c554d16e587628ccb92952d0a7e50ea
- Filesize: 3.4MB
  MD5: dd2435f261e4fa0a098d761847610b31
  SHA1: c277ea09565541d120eb38d21e6df06a6ae8855b
  SHA256: 6d234a780e094198adbcbb8e31b943b0a81f56ea130a86f62d2f003cf19ae21a
  SHA512: eb716d8b5aff90fcfd03cab3aeae1be04d4346d20b68e28c49dc9442d9ca60f32a098061cdce5cf3f4087541413130cb5279f4bb334d1d65da013bb18b2f50fc